Updates: Read below for the apparent cures!
I had a client call me today who was experiencing a message repeatedly popping up on their Windows 7 computer. The message was “pleaes remove all ity.im ads from your website”. Note that the first word is misspelled (“pleaes” presumably meaning “please”). Suspecting some sort of malware, I did some research but found remarkably little information about it. The information I did find was all at most a day or two old, and it did confirm my suspicion of malware. However, I did not find any definitive resolution.
I proceeded with my normal process of sniffing out malware, but I did not find anything myself. So I went ahead and ran my usual ace-in-the-hole anti-malware utility, ComboFix. It removed the following file:
However, the pop-up still occurs.
Looking at the pop-up window in Task Manager, it appears to be tied to explorer.exe. I’ve also noticed that the explorer.exe process uses an unusual amount of CPU (20-40% while seemingly doing nothing), and its RAM usage goes through the roof, reaching 1-3 GB. I suspect it would use more, except this machine only has 4 GB.
At this point, I’m still researching how to fix the problem and testing various methods to clean it. I’ll update this post as I find a resolution. Please comment below if you have encountered this malware and if you have found a successful resolution.
Update 1: It appears that running TDSSKiller from an external boot device identifies a rootkit, Rootkit.Boot.SST.b. Another commenter suggested that HitmanPro identifies the rootkit as Trojan.MBR.Alureon!IK. Some research shows that these may be the same rootkit under different names. I will continue to monitor the infected PC to ensure it stays clean.
Thanks to commenters “Bretnerjm” and “Carolin Gehle” for their help! And a special shout-out to my friend and fellow virus slayer Rusty Herman. He had suggested to me earlier this morning that I run TDSSKiller from an external drive; I just hadn’t had a chance to test it out until now.
Update 2: For those who are less technically savvy, you may want to try downloading and using Windows Defender Offline. It is a ready-made executable from Microsoft that creates a bootable USB or CD/DVD for dealing with rootkits such as this one.
I have not had a chance to try this myself for this particular infection, so I would love to hear any feedback on this method. It appears a few commenters have had success using this method, so this is what I now recommend since it is probably the easiest method for most people.